TOPIC: Web Security Models


Presentation on theme: "TOPIC: Web Security Models"— Presentation transcript:

1 TOPIC: Web Security Models
Course: WEB ENGINEERING   Paper Code: ETCS-308

2 WEB SECURITY MODEL Web security is a major concern because of the massive interconnection of heterogeneous and distributed systems. A secure Internet infrastructure needs two kinds of service: Access control services, which protect Internet resources from unauthorized use; and Communication security services, which provide confidentiality and integrity of data transmitted over the network, in addition to non-repudiation for the communicating entities.

3 WEB SECURITY MODEL An important prerequisite for access control is authentication. Authentication is handled by the communication security services, through PKI facilities, but those services do not provide any mechanism for access control at the end-user system. A joint study on computer crime conducted by the Computer Security Institute (CSI) and the FBI indicates that the most serious losses in enterprises occur through unauthorized access by insiders: 71% of respondents had detected unauthorized access by insiders. Hence there is a strong need for efficient security management and administration functions in an enterprise, and for developing new access control models (or extending the existing ones) to neutralize such threats.

4 WEB SECURITY MODEL Several approaches have been proposed to address the access control requirements of distributed applications. Approaches for Web Security Models: Agent based; Certificate based; Hypertext based authorizations; Role based access control (RBAC); Mandatory access control (MAC); Task based access control (TBAC); Discretionary access control (DAC).

7 WEB SECURITY MODELS The formal models covered in the following slides:
Bell-LaPadula Model
Biba Model
Clark-Wilson Model
Harrison-Ruzzo-Ullman Model
Chinese Wall Model

8 Bell-LaPadula (BLP) Model
The Bell–LaPadula model focuses on data confidentiality and controlled access to classified information. It was developed by David Elliott Bell and Leonard J. LaPadula to formalize the U.S. Department of Defense (DoD) multilevel security (MLS) policy. The model is a formal state transition model of computer security policy that describes a set of access control rules which use security labels on objects and clearances for subjects. Security labels range from the most sensitive (e.g., "Top Secret"), down to the least sensitive (e.g., "Unclassified" or "Public").

9 Bell-LaPadula (BLP) Model
The Bell–LaPadula model is built on the concept of a state machine with a set of allowable states in a computer system. The transition from one state to another is defined by transition functions. The model defines two mandatory access control (MAC) rules and one discretionary access control (DAC) rule, expressed as three security properties: Simple security property (ss-property): a subject at a given security level may not read an object at a higher security level (no read-up). *-property (read "star-property"): a subject at a given security level must not write to any object at a lower security level (no write-down). Discretionary security property (ds-property): an access matrix specifies the discretionary access control.

10 Bell-LaPadula (BLP) Model
A secure system satisfies all of these properties. BLP includes a mathematical proof (the Basic Security Theorem) that if a system starts in a secure state and every transition satisfies all of the properties, then the system remains secure. Limitations: the model applies only to systems in which security levels do not change dynamically (the tranquility assumption); it allows controlled copying from high to low only via trusted subjects, which are exempt from the *-property; and the state-transition model does not itself contain any state invariants.

11 Biba Model The Biba Model (Biba Integrity Model) was developed by Kenneth J. Biba in 1975. It is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity. The model takes integrity as its core principle and is the direct inverse of the Bell–LaPadula model: it is directed toward data integrity (rather than confidentiality) and is characterized by the phrase "no read down, no write up", in contrast to Bell-LaPadula's "no write down, no read up".

12 Biba Model The Biba model defines three rules. Two of them mirror the Bell-LaPadula rules with the direction reversed: The Simple Integrity Axiom states that a subject at a given integrity level must not read an object at a lower integrity level (no read down). The * (star) Integrity Axiom states that a subject at a given integrity level must not write to any object at a higher integrity level (no write up). The third rule, the Invocation Property, states that a subject may invoke (request service from) another subject only at an equal or lower integrity level; a process from below cannot request higher access.
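The two models on slides 8 to 12 are duals over the same label lattice, so one worked example serves both. The code below is an added illustration and is not part of the presentation: the level numbers, category names, the "analyst" subject, the object names and the small access matrix are all assumed. It implements label dominance once and then expresses the BLP ss-/*-properties (plus the ds-property via an access matrix) and the Biba integrity axioms and invocation property as one-line checks over it.

```python
"""Added example, not from the slides: Bell-LaPadula and Biba decisions over
one label lattice.  Levels, categories, subjects, objects and the access
matrix are assumed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple


@dataclass(frozen=True)
class Label:
    """A lattice label: a linearly ordered level plus a set of categories."""
    level: int
    categories: FrozenSet[str] = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: higher-or-equal level AND superset of categories."""
        return self.level >= other.level and self.categories >= other.categories


# ---- Bell-LaPadula (confidentiality): labels are clearances / classifications ----
def blp_can_read(subject: Label, obj: Label) -> bool:
    """ss-property: no read-up (the subject must dominate the object)."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write-down (the object must dominate the subject)."""
    return obj.dominates(subject)


def blp_access(matrix: Dict[Tuple[str, str], Set[str]], subj: str, subj_label: Label,
               obj: str, obj_label: Label, right: str) -> bool:
    """Full BLP decision: the MAC rule for the right AND the ds-property
    (the discretionary access matrix must also grant the right)."""
    mac = {"read": blp_can_read, "write": blp_can_write}[right](subj_label, obj_label)
    dac = right in matrix.get((subj, obj), set())
    return mac and dac


# ---- Biba (integrity): the same lattice, the rules inverted ----
def biba_can_read(subject: Label, obj: Label) -> bool:
    """Simple integrity axiom: no read-down (the object must be at least as trustworthy)."""
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """* integrity axiom: no write-up."""
    return subject.dominates(obj)


def biba_can_invoke(caller: Label, callee: Label) -> bool:
    """Invocation property: a subject may only invoke subjects at equal or lower integrity."""
    return caller.dominates(callee)


# Constructed labels used by the demo (0 = Unclassified/Public ... 3 = Top Secret).
SECRET_NUC = Label(2, frozenset({"NUC"}))
SECRET_CRYPTO = Label(2, frozenset({"CRYPTO"}))
TOP_SECRET_ALL = Label(3, frozenset({"NUC", "CRYPTO"}))
PUBLIC = Label(0)


def demo() -> Dict[str, bool]:
    """Decisions for a Secret/NUC analyst; each key names the case decided."""
    analyst = SECRET_NUC
    # Assumed DAC matrix: the analyst has been granted read on ts_plan, read+write on nuc_report.
    matrix = {("analyst", "nuc_report"): {"read", "write"}, ("analyst", "ts_plan"): {"read"}}
    return {
        "blp read own-level report": blp_can_read(analyst, SECRET_NUC),
        "blp read top-secret plan": blp_can_read(analyst, TOP_SECRET_ALL),
        "blp read incomparable crypto": blp_can_read(analyst, SECRET_CRYPTO),
        "blp write up to top secret": blp_can_write(analyst, TOP_SECRET_ALL),
        "blp write down to public": blp_can_write(analyst, PUBLIC),
        "blp read ts_plan with DAC but not MAC": blp_access(matrix, "analyst", analyst, "ts_plan", TOP_SECRET_ALL, "read"),
        "blp write nuc_report with MAC and DAC": blp_access(matrix, "analyst", analyst, "nuc_report", SECRET_NUC, "write"),
        "biba read from public (low integrity)": biba_can_read(analyst, PUBLIC),
        "biba write to public": biba_can_write(analyst, PUBLIC),
        "biba invoke higher-integrity service": biba_can_invoke(analyst, TOP_SECRET_ALL),
    }
```

Two things the slides state in words become visible here: the "incomparable crypto" case shows that categories make the order a lattice rather than a line (neither read nor write is allowed between Secret/NUC and Secret/CRYPTO), and the "ts_plan" case shows that a DAC grant alone is never sufficient under BLP, because the MAC rule is checked first.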

13 Clark-Wilson Model The Clark–Wilson integrity model provides a foundation for specifying and analyzing an integrity policy for a computing system. The model was described in a 1987 paper (A Comparison of Commercial and Military Computer Security Policies) by David D. Clark and David R. Wilson. The model’s enforcement and certification rules define data items and processes that provide the basis for an integrity policy. The core of the model is based on the notion of a transaction. A well-formed transaction is a series of operations that transition a system from one consistent state to another consistent state. In this model the integrity policy addresses the integrity of the transactions. The principle of separation of duty requires that the certifier of a transaction and the implementer be different entities.

14 Clark-Wilson Model The model contains a number of basic constructs that represent both data items and processes that operate on those data items. The key data type in the Clark– Wilson model is a Constrained Data Item (CDI). An Integrity Verification Procedure (IVP) ensures that all CDIs in the system are valid at a certain state. Transactions that enforce the integrity policy are represented by Transformation Procedures (TPs). A TP takes as input a CDI or Unconstrained Data Item (UDI) and produces a CDI. A TP must transition the system from one valid state to another valid state. UDIs represent system input (such as that provided by a user or adversary). A TP must guarantee (via certification) that it transforms all possible values of a UDI to a “safe” CDI.

15 Clark-Wilson Model At the heart of the model is the relationship between an authenticated principal (i.e., user) and a set of programs (i.e., TPs) that operate on a set of data items (e.g., UDIs and CDIs). The components of such a relation, taken together, are referred to as a Clark–Wilson triple. The model consists of two sets of rules: Certification Rules (C) and Enforcement Rules (E). The nine rules ensure the external and internal integrity of the data items. To paraphrase these: C1—When an IVP is executed, it must ensure the CDIs are valid. C2—For some associated set of CDIs, a TP must transform those CDIs from one valid state to another. Since we must make sure that these TPs are certified to operate on a particular CDI, we must have E1 and E2.

16 Clark-Wilson Model E1—System must maintain a list of certified relations and ensure only TPs certified to run on a CDI change that CDI. E2—System must associate a user with each TP and set of CDIs. The TP may access the CDI on behalf of the user if it is “legal.” This requires keeping track of triples (user, TP, {CDIs}) called “allowed relations.” C3—Allowed relations must meet the requirements of “separation of duty.” We need authentication to keep track of this. E3—System must authenticate every user attempting a TP. Note that this is per TP request, not per login. For security purposes, a log should be kept.

17 Clark-Wilson Model C4—All TPs must append to a log enough information to reconstruct the operation. When information enters the system it need not be trusted or constrained (i.e. can be a UDI). We must deal with this appropriately. C5—Any TP that takes a UDI as input may only perform valid transactions for all possible values of the UDI. The TP will either accept (convert to CDI) or reject the UDI. Finally, to prevent people from gaining access by changing qualifications of a TP: E4—Only the certifier of a TP may change the list of entities associated with that TP.
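The nine rules on slides 15 to 17 are easiest to see as one enforcement engine. The following is an added example, not the presentation's own code: the account-balance CDIs, the "transfer" TP, the IVP ("no balance is negative") and the toy password check are assumed. Each rule is marked where it is enforced; a failed TP is rolled back and logged, and the UDI (the amount typed by the user) is accepted or rejected before any CDI is touched.

```python
"""Added example, not from the slides: a toy Clark-Wilson enforcement engine
that applies rules C1-C5 and E1-E4 to account-balance CDIs.  The account
names, the 'transfer' TP, the IVP and the password check are all assumed."""
from typing import Callable, Dict, List, Set, Tuple


class IntegrityError(Exception):
    """Raised whenever an operation would violate one of the nine rules."""


def udi_to_amount(udi: str) -> int:
    """C5: a TP taking a UDI must accept (convert to a safe value) or reject it."""
    if not udi.isdigit() or int(udi) <= 0:
        raise IntegrityError("C5: rejected UDI %r" % udi)
    return int(udi)


def tp_transfer(cdis: Dict[str, int], src: str, dst: str, udi_amount: str) -> None:
    """A well-formed transaction: move funds from one balance CDI to another."""
    amount = udi_to_amount(udi_amount)   # UDI -> safe value before any CDI is touched
    cdis[src] -= amount
    cdis[dst] += amount


class ClarkWilsonSystem:
    def __init__(self, cdis: Dict[str, int]) -> None:
        self.cdis = dict(cdis)
        self.tps: Dict[str, Callable] = {}
        self.certified: Dict[str, Set[str]] = {}      # E1: TP -> CDIs it may change
        self.certifier: Dict[str, str] = {}           # E4: who certified each TP
        self.allowed: Set[Tuple[str, str]] = set()    # E2: (user, TP) allowed relations
        self.sessions: Set[str] = set()               # E3: authenticated users
        self.log: List[dict] = []                     # C4: audit trail

    def ivp(self) -> bool:
        """C1: the integrity verification procedure; here 'no balance is negative'."""
        return all(v >= 0 for v in self.cdis.values())

    def login(self, user: str, password: str) -> bool:
        """Toy authentication (assumed credential store) feeding E3."""
        if password == "correct horse":
            self.sessions.add(user)
        return user in self.sessions

    def certify_tp(self, certifier: str, name: str, fn: Callable, cdi_names: Set[str]) -> None:
        """C2/E1: the certifier vouches that fn maps these CDIs between valid states."""
        self.tps[name] = fn
        self.certified[name] = set(cdi_names)
        self.certifier[name] = certifier

    def allow(self, actor: str, user: str, name: str) -> None:
        """E2 with C3 and E4: add (user, TP, {CDIs}) to the allowed relations."""
        if self.certifier.get(name) != actor:
            raise IntegrityError("E4: only the certifier of %s may change its relations" % name)
        if user == actor:
            raise IntegrityError("C3: separation of duty, certifier may not also execute %s" % name)
        self.allowed.add((user, name))

    def run_tp(self, user: str, name: str, *args) -> None:
        if user not in self.sessions:                       # E3: checked per TP request
            raise IntegrityError("E3: %s is not authenticated" % user)
        if (user, name) not in self.allowed:                # E2
            raise IntegrityError("E2: %s is not allowed to run %s" % (user, name))
        before = dict(self.cdis)
        try:
            self.tps[name](self.cdis, *args)
            changed = {k for k in set(before) | set(self.cdis) if before.get(k) != self.cdis.get(k)}
            if not changed <= self.certified[name]:         # E1
                raise IntegrityError("E1: %s changed uncertified CDI(s) %s"
                                     % (name, sorted(changed - self.certified[name])))
            if not self.ivp():                              # C2: must end in a valid state
                raise IntegrityError("C2: %s left the system in an invalid state" % name)
        except Exception as err:
            self.cdis = before                              # undo the failed transaction
            self.log.append({"user": user, "tp": name, "args": args, "ok": False, "why": str(err)})
            raise
        self.log.append({"user": user, "tp": name, "args": args,   # C4: enough to reconstruct
                         "before": before, "after": dict(self.cdis), "ok": True})


def demo() -> ClarkWilsonSystem:
    """Constructed scenario: carol certifies, alice executes, 30 moves alice -> bob."""
    system = ClarkWilsonSystem({"acct:alice": 100, "acct:bob": 50})
    system.certify_tp("carol", "transfer", tp_transfer, {"acct:alice", "acct:bob"})
    system.allow("carol", "alice", "transfer")
    system.login("alice", "correct horse")
    system.run_tp("alice", "transfer", "acct:alice", "acct:bob", "30")
    return system
```

Note that E1 is enforced by diffing the CDI state before and after the TP rather than by trusting the TP's own declaration, so a certified TP that reaches into a CDI outside its certified set is caught and undone.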

18 Clark-Wilson versus Biba
In Biba's model, UDI to CDI conversion (upgrading low-integrity input) is performed by a trusted subject only (e.g., a security officer), which is impractical for the data entry function. In Clark-Wilson, TPs are certified for particular users and functions; Biba's model does not offer this level of granularity.

19 Harrison-Ruzo-Ullman Model
BLP does not state policies for changing access rights or for the creation and deletion of subjects and objects. The Harrison-Ruzzo-Ullman (HRU) model defines authorisation systems that address these issues. HRU is an operating-system-level computer security model which deals with the integrity of access rights in the system. The components of the HRU model: a set of subjects S; a set of objects O; a set of access rights R; and an access matrix M, in which the entry M[s,o] is the subset of R specifying the rights subject s has on object o.
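The slide above lists the static components; what makes HRU an authorisation system is the six primitive operations (enter/delete a right, create/destroy a subject, create/destroy an object) and the conditional commands built from them, which is exactly the part BLP leaves open. The following is an added example, not the presentation's own code: the subject, object and right names are assumed, and the three commands follow the style of the examples in the original HRU paper (create a file, confer a read right, revoke it).

```python
"""Added example, not from the slides: an HRU protection system with the six
primitive operations of the model and three commands in the style of the
original paper.  Subject, object and right names are assumed for illustration."""
from typing import Dict, Set, Tuple


class HRU:
    def __init__(self) -> None:
        self.S: Set[str] = set()                         # subjects
        self.O: Set[str] = set()                         # objects (every subject is also an object)
        self.M: Dict[Tuple[str, str], Set[str]] = {}     # M[s, o] = subset of the rights R

    def rights(self, s: str, o: str) -> Set[str]:
        return self.M.get((s, o), set())

    # ---- the six primitive operations ----
    def create_subject(self, s: str) -> None:
        self.S.add(s)
        self.O.add(s)

    def create_object(self, o: str) -> None:
        self.O.add(o)

    def destroy_subject(self, s: str) -> None:
        self.S.discard(s)
        self.destroy_object(s)

    def destroy_object(self, o: str) -> None:
        self.O.discard(o)
        for key in [k for k in self.M if o in k]:       # drop its row and column of M
            del self.M[key]

    def enter(self, r: str, s: str, o: str) -> None:
        if s not in self.S or o not in self.O:
            raise KeyError((s, o))
        self.M.setdefault((s, o), set()).add(r)

    def delete(self, r: str, s: str, o: str) -> None:
        self.M.get((s, o), set()).discard(r)

    # ---- commands: a condition on M, then a sequence of primitive operations ----
    def cmd_create_file(self, process: str, f: str) -> None:
        """command create_file(p, f): create object f; enter own, read, write into M[p, f]."""
        if f in self.O:
            raise PermissionError("%s already exists" % f)
        self.create_object(f)
        for r in ("own", "read", "write"):
            self.enter(r, process, f)

    def cmd_confer_read(self, owner: str, friend: str, f: str) -> None:
        """command confer_read(owner, friend, f): if own in M[owner, f] then enter read into M[friend, f]."""
        if "own" not in self.rights(owner, f):
            raise PermissionError("%s does not own %s" % (owner, f))
        self.enter("read", friend, f)

    def cmd_revoke_read(self, owner: str, friend: str, f: str) -> None:
        """command revoke_read(owner, friend, f): if own in M[owner, f] then delete read from M[friend, f]."""
        if "own" not in self.rights(owner, f):
            raise PermissionError("%s does not own %s" % (owner, f))
        self.delete("read", friend, f)


def demo() -> HRU:
    """Constructed scenario: alice creates f1 and lets bob read it."""
    system = HRU()
    system.create_subject("alice")
    system.create_subject("bob")
    system.cmd_create_file("alice", "f1")
    system.cmd_confer_read("alice", "bob", "f1")
    return system
```

The commands are the only way rights change, so the security question for such a system is whether some sequence of commands can ever put a given right into a given cell of M (the "safety" question). Harrison, Ruzzo and Ullman showed that this is undecidable for general command sets, which is why the model is valuable as a precise description of a policy rather than as something a checker can verify automatically.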

21 Chinese Wall Focus is on conflicts of interest.
Principle: users should not access the confidential information of both a client organization and one or more of its competitors. How it works: a user has no "wall" initially. Once any file of a company is accessed, files holding information about that company's competitors become inaccessible to that user. Unlike the other models, the access control rules change with user behaviour (the user's access history).
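Because the decision depends on history, the model is best shown as code that keeps that history. The following is an added example, not the presentation's own code, using the Brewer-Nash formulation of the Chinese Wall: company datasets are grouped into conflict-of-interest classes, a read is allowed unless the user has already touched a competitor, and, going one step beyond the slide, the Brewer-Nash write rule is included so that a user who has read two non-competing companies cannot become a channel between their competitors. The company names, classes and users are constructed; sanitised (public) data is not modelled.

```python
"""Added example, not from the slides: Brewer-Nash Chinese Wall decisions.
The company datasets, conflict-of-interest classes and user names are
constructed for illustration; sanitised data is not modelled."""
from typing import Dict, Set

# company dataset -> conflict-of-interest (COI) class it belongs to (constructed)
COI_CLASS = {"BankA": "banks", "BankB": "banks", "OilX": "oil", "OilY": "oil"}


class ChineseWall:
    def __init__(self, coi_class: Dict[str, str]) -> None:
        self.coi_class = coi_class
        self.history: Dict[str, Set[str]] = {}    # user -> company datasets already accessed

    def can_read(self, user: str, company: str) -> bool:
        """Simple security rule: allowed iff the dataset is one the user already uses,
        or nothing the user has touched is in the same COI class (a competitor)."""
        seen = self.history.get(user, set())
        if company in seen:
            return True
        return not any(self.coi_class[c] == self.coi_class[company] for c in seen)

    def read(self, user: str, company: str) -> bool:
        """Perform the read; a successful read raises the wall around that company's competitors."""
        if not self.can_read(user, company):
            return False
        self.history.setdefault(user, set()).add(company)
        return True

    def can_write(self, user: str, company: str) -> bool:
        """*-property (Brewer-Nash write rule): write allowed only if the user may read the
        dataset and has read nothing belonging to any other company, so information cannot
        flow between competitors through a user who reads one and writes into another."""
        seen = self.history.get(user, set())
        return self.can_read(user, company) and seen <= {company}


def demo() -> Dict[str, bool]:
    """Constructed scenario for one analyst 'ana' and a fresh user 'bea'."""
    wall = ChineseWall(COI_CLASS)
    return {
        "first read of BankA": wall.read("ana", "BankA"),
        "then BankB (competitor)": wall.read("ana", "BankB"),
        "OilX (different class)": wall.read("ana", "OilX"),
        "BankA again": wall.read("ana", "BankA"),
        "write to BankA after reading OilX": wall.can_write("ana", "BankA"),
        "fresh user writes to BankB": ChineseWall(COI_CLASS).can_write("bea", "BankB"),
    }
```

The history dictionary is the whole policy state: a denied read does not change it, a granted read does, which is why the same request ("BankB") gets a different answer for the same user before and after the first access.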
